IT Brief Asia - Technology news for CIOs & IT decision-makers

Cyber experts urge SMEs to adopt risk tools amid rising threats

Today

A cybersecurity webinar hosted by GHD brought together industry experts from the Philippines and the Asia Pacific region to discuss approaches and challenges related to cyber risk management and resilience in critical infrastructure environments.

Eron del Rosario, Critical Infrastructure Cybersecurity Leader – Philippines at GHD, opened the session by outlining its objectives and speakers. He explained his background by stating, "I specialise in creating tailored cybersecurity solutions for various industries. Prior to GHD, I gained valuable experience in providing solutions for managed security operation centres, application security, data protection, identity and access management, and a little bit of threat intelligence. And today, I'm excited to guide you through our webinar where we will explore key insights, actionable strategies, and real-world practical solutions to tackle current and emerging cybersecurity challenges."

Del Rosario then introduced the panel, including Peter Clissold, Cybersecurity Team Leader – Southern Hemisphere at GHD; Hyun-sik Na, Technical Sales Engineer at Nozomi Networks Asia-Pacific; and Elaine Cruzada, Senior OT Cybersecurity Consultant, GHD. He summarised the technical expertise each speaker brought to the discussion and the relevance of these skills to the resilience of critical systems.

The discussion centred around the slow uptake of cyber risk assessments among organisations in the Philippines, especially among small and medium-sized enterprises (SMEs). Del Rosario noted, "Based on 2023 data, about 99.58% of registered businesses are SMEs, and with large enterprises making just roughly about 0.42%. But regardless of the size, we are faced with the same challenge. And this is going to be around understanding risk, protecting the asset, and maintaining resilience."

He pointed to the National Cybersecurity Plan by the Department of Information and Communications Technology as a starting point, but warned that "only about 1% of organisations here in the Philippines reach maturity in cyber resilience. Contrary to that cyber resilience strategy that organisations have, cyber incidents are still increasing and it can cost up to USD $300,000, a figure that can cripple small and medium businesses and heavily impact larger enterprises alike, not to mention the safety risks involved, especially in the critical infrastructure sector."

Peter Clissold explained that cyber risk assessments have not achieved widespread implementation, particularly outside heavily regulated industries. "Smaller businesses, those in sectors such as manufacturing or education, tend to be lagging behind. In the Philippines, the majority of firms are only beginning to recognise the importance of managing their cyber risks, due to an increase in the number of cyber incidents that are occurring not only in the Philippines but also around the world. Industries like finance, healthcare and energy are more proactive because they do tend to face tighter regulations and are at a higher risk from cyberattacks. But other sectors, without those stringent regulatory pressures, may still see cybersecurity risk assessments as an option rather than an essential part of their cybersecurity risk management processes," he said.

Clissold added, "Budget is definitely one of those areas that additional costs may be imposed by an organisation if they identify those key risks in their business. And right now, organisations are not only hesitant to perform these risk assessments to identify those gaps, but they potentially haven't allocated enough funds to mitigate the cyber threats moving forward. But in contrast, those cyber threats are there today, whether you've done the assessment or not. And quite often, it'll be a matter of when, not if you get a compromise."

He also observed, "I think a little bit of a gap in understanding of what the regulatory requirements are… but in those less regulated areas, there is still a requirement to protect not only your own assets, but also the assets that are relied upon by your communities that depend on the services that you're providing. So they don't feel that external pressure to invest in the assessment, but fundamentally it's about an understanding or a gap in that knowledge."

Hyun-sik Na took the discussion into practical solutions by introducing Nozomi Networks' offerings, stating, "Nozomi Networks plays a crucial role in securing OT and ICS environments by providing real-time visibility and advanced threat detection and proactive risk mitigation. Our technology continuously monitors network behaviour and quickly identifies vulnerabilities and anomalies, and allows teams to prioritise the response, significantly reducing risk exposure and strengthening overall cybersecurity posture."

Na described the challenges many organisations face: "About 60% of companies in the industry fall into this category, where the most critical need is visibility into the core control network, knowing what asset exists and how they are interconnected." He explained that more mature organisations use tools to segment networks and detect anomalies, while the most advanced proactively manage vulnerabilities using best practices and compliance requirements.

He detailed Nozomi Networks' solution architecture: "It can be installed and operated without any changes to your existing networks, ensuring safe operation without impacting critical facilities... All the collected information is centrally managed by a local management console or our cloud-based Vantage service. The data is automatically analysed and continuously monitored in real time, enabling you to secure a large number of assets and extensive network efficiently with minimal personnel."

During the live demonstration, Na illustrated the benefits of automated asset discovery, risk scoring, and prioritisation. "Nozomi Networks' world-class asset identification capabilities automatically determine detailed information such as asset role, security level and how they interact within the networks. This enables security professionals and managers and operators to transparently understand how risk score is derived in number. Even more, we can collect all of this information and make one valuable insight in this page. All this information aggregates into a comprehensive company-wide risk score, giving a clear snapshot of your organisation's overall cybersecurity status and allowing for proactive management and improvement," he said.

Elaine Cruzada offered an auditor's perspective from the energy sector. "In the Philippines' energy sector, securing critical infrastructure, particularly in the OT cybersecurity, has always been a top priority despite the challenges of limited resources. From my experience as an auditor, I've seen firsthand how the convergence of IT and OT introduces new vulnerabilities that we simply cannot overlook," she said.

Cruzada highlighted the limitations of manual processes, especially with legacy systems, and described the impact of adopting tools like Nozomi Networks: "The most useful feature of this tool, as I remember, is the asset discovery followed by the real-time monitoring and automated vulnerability assessments. These capabilities have made our risk assessment activities far more efficient and accurate. From an audit perspective, leveraging these tools in our audit methodology has simplified our compliance tracking of regulatory requirements to the ERC and DOE and streamlined our audit processes... Overall, tools like Nozomi Networks have been crucial in strengthening our company's security posture and enabling our far more accurate and informed risk assessments."

Clissold later provided a case study from Australia describing how Nozomi tools accelerated and improved the accuracy of asset identification and vulnerability mapping for railway infrastructure, saying, "The output that we gained, it identified undocumented devices, obsolete operating system assets, insecure network protocols. It also helped us identify communications linked between devices that shouldn't be there. And it allowed us to quickly identify significant vulnerabilities and weaknesses in those devices. We were able to use that information to identify product version details and other information about those devices that didn't currently exist in the asset registers either."

He added, "We were able to use that information to make concrete recommendations, prioritise activities, and develop a detailed programme of work. So in summary, it was an important capability that allowed us to complete many months' worth of work in weeks and allowed us to provide guidance based on the facts and not assumptions."

Na concluded by stressing the importance of visibility: "In the OT environment, having the right tools is critical, not only for identifying risk, but also for effectively prioritising them. Without clear visibility, organisations face difficulty understanding their vulnerabilities and struggle to respond proactively. Solutions like Nozomi Networks play an essential role by offering comprehensive visibility across IT, OT, and IoT, whatever platform you have in your environment, in one unified platform."

"These holistic visibilities allow security teams to accurately prioritise risk, quickly respond to threats, and streamline their overall risk assessment process, ultimately enhancing cybersecurity resilience across all environments," he said.
